In this article

In this article

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Roadmap

Summary: This guide presents a practical, scenario driven approach to designing and building secure ASP.NET applications for Windows 2000 and version 1.0 of the .NET Framework. It focuses on the key elements of authentication, authorization, and secure communication within and across the tiers of distributed .NET Web applications. (This roadmap: 6 printed pages; the entire guide: 608 printed pages)

Download

Contents

What This Guide Is About Part I, Security Models Part II, Application Scenarios Part III, Securing the Tiers Part IV, ReferenceWho Should Read This Guide?What You Must KnowFeedback and SupportCollaborators

What This Guide Is About

Secure communication (to ensure that messages remain private and are not altered by unauthorized parties)

Why authentication, authorization, and secure communication?

Security is a broad topic. Research has shown that early design of authentication and authorization eliminates a high percentage of application vulnerabilities. Secure communication is an integral part of securing your distributed application to protect sensitive data, including credentials, passed to and from your application, and between application tiers.

There are many technologies used to build .NET Web applications. To build effective application-level authentication and authorization strategies, you need to understand how to fine-tune the various security features within each product and technology area, and how to make them work together to provide an effective, defense-in-depth security strategy. This guide will help you do just that.

Figure 1 summarizes the various technologies discussed throughout the guide.

Figure 1. .NET Web application security

The guide is divided into four parts. The aim is to provide a logical partitioning, which will help you to more easily digest the content.

Part I, Security Models

Part I of the guide provides a foundation for the rest of the guide. Familiarity with the concepts, principles, and technologies introduced in Part I will allow you to extract maximum value from the remainder of the guide. Part I contains the following chapters.

This chapter describes the common characteristics of .NET Web applications from a security perspective and introduces the .NET Web application security model. It also introduces the set of core implementation technologies that you will use to build secure .NET Web applications.

Designing a coherent authentication and authorization strategy across your application's multiple tiers is a critical task. This chapter provides guidance to help you develop an appropriate strategy for your particular application scenario. It will help you choose the most appropriate authentication and authorization technique and apply them at the correct places in your application.

This chapter introduces the two core technologies that can be used to provide message confidentiality and message integrity for data that flows across the network between clients and servers on the Internet and corporate intranet. These are SSL and IPSec. This chapter also discusses RPC encryption, which can be used to secure the communication with remote serviced components.

Part II, Application Scenarios

Most applications can be categorized as intranet, extranet, or Internet applications. This part of the guide presents a set of common application scenarios, each of which falls into one of those categories. The key characteristics of each scenario are described and the potential security threats analyzed.

You are then shown how to configure and implement the most appropriate authentication, authorization, and secure communication strategy for each application scenario.

This chapter describes how to secure common Internet application scenarios.

Part III, Securing the Tiers

This part of the guide contains detailed drill-down information that relates to the individual tiers and technologies associated with secure .NET Web applications. Part III contains the following chapters.

This chapter provides in-depth security recommendations for ASP.NET Web applications. It describes how to implement Forms and Windows authentication and how to perform authorization using the various gatekeepers supported by ASP.NET. Among many other topics, it also discusses how to store secrets, how to use the correct process identity, and how to access network resources such as remote databases by using Windows authentication.

This chapter explains how to secure business functionality in serviced components contained within Enterprise Services applications. It shows you how and when to use Enterprise Services (COM+) roles for authorization, and how to configure RPC authentication and impersonation. It also shows you how to securely call serviced components from an ASP.NET Web application and how to identify and flow the original caller's security context through a middle tier serviced component.

This chapter focuses on platform-level security for Web services using the underlying features of Internet Information Services (IIS) and ASP.NET. For message-level security, Microsoft is developing the Web Services Development Kit, which allows you to build security solutions that conform to the WS-Security specification, part of the Global XML Architecture (GXA) initiative.

The .NET Framework provides a remoting infrastructure that allows clients to communicate with objects, hosted in remote application domains and processes or on remote computers. This chapter shows you how to implement secure .NET Remoting solutions.

This chapter presents recommendations and guidance that will help you develop a secure data access strategy. Topics covered include using Windows authentication from ASP.NET to the database, securing connection strings, storing credentials securely in a database, protecting against SQL injection attacks, and using database roles.

Part IV, Reference

This reference part of the guide contains supplementary information to help further your understanding of the techniques, strategies, and security solutions presented in earlier chapters.

Who Should Read This Guide?

If you are a middleware developer or architect, who plans to build, or is currently building .NET Web applications using one or more of the following technologies, you should read this guide.

ASP.NET

Web services

Enterprise Services

Remoting

ADO.NET

What You Must Know

To most effectively use this guide to design and build secure .NET Web applications, you should already have some familiarity and experience with .NET development techniques and technologies. You should be familiar with distributed application architecture and if you have already implemented .NET Web application solutions, you should know your own application architecture and deployment pattern.

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.